UK business should not ignore revelations about the US Prism internet surveillance programme
Whistleblower Edward Snowden has focused the media and government spotlight on cyber espionage, but revelations about the US Prism internet surveillance programme cannot be dismissed by UK business as being of little or no relevance.
At the very least, the rapid rise in cyber espionage highlights the need to rethink data security strategies to improve protection of intellectual property. Snowden’s revelations have also highlighted the need to think through the potential information security implications of every action or decision.
While Snowden claims he acted in the best interest of US citizens, many believe all he really
achieved is alerting potential attackers to the existence of a highly attractive store of
information, ripe for the picking.
It could be argued that by shouting it from the rooftops, Snowden has put the data collected by Prism at risk of attack from other state or non-state sponsored actors.
The Prism programme poses danger to the US government on several fronts, says Vladimir Jirasek, managing director of Jirasek Consulting Services.
First, he says the data the government collects is a treasure trove that other countries or large organisations, including underground ones, would like to get hands on.
Read more on Prism
- Security Think Tank: Prism unlikely to change much
- Security Think Tank: Prism fallout could be worse than security risks
- Security Think Tank: Prism is dangerous for everyone
- Security Think Tank: Prism – Sitting duck or elaborate honeypot?
- NSA surveillance whistleblower reveals identity
- US repeatedly hacked China, claims NSA whistleblower
- FBI spies on internet users
- UK links to US internet surveillance remain unclear
- Technology companies call for more transparency over data requests
- Compliance: The Edward Snowden, NSA program controversy continues
"Can we believe that the NSA, FBI and CIA, with approximately 100,000 authorised users can keep the data safe? Certainly, the leakages of the government secrets so far show that such an objective is beyond reach, and is most likely just wishful thinking,” says Jirasek.
Second, he believes there isgoing be retaliation towards the US and other nations that are perceived to have breached the “moral” code of the internet.
"We have all seen what a determined group of highly skilled cyber hackers and vigilantes can do. These attacks are most likely going to embarrass US government, rather than cause real damage though; unless the US national critical infrastructure is still connected to the internet. I bet this is the question that committees in the Congress are asking. We can only speculate on the answers,” says Jirasek.
Finally, he observes that the world’s governments and large enterprises have been spying on their enemies, competitors, and allies for centuries, but that the internet has made these activities much easier, which is something businesses cannot ignore.
Hord Tipton is a former US government CIO and the current executive director of information
security certification organisation (ISC)². He says that in considering whether the data collected
by Prism puts the US government at risk, it is worth looking at whether the vulnerability comes as
a result of the data having been collected and therefore presenting a target, or the reaction to
the will on the part of the US to collect.
"With regard to the data collection itself, few truly understand just how deep this exercise goes, and many speculate that it is not as deep as has been projected in the media furore. The risks here are therefore not clear and it is probably premature to speculate about them," he says.
However, Tipton believes the situation has the potential to undermine US intelligence activities across the world and as such expose agents to some degree.
"It is, however, hard to say if it is as damaging as the Wikileaks scandal or FBI spy Robert
Hansen’s revelations of our secrets, the latter of which resulted in nine reported executions of US
agents," he says.
Tipton believes that what leaves US authorities uneasy is the lack of clarity about what Snowden has or has not done, what he remains capable of, and to whom he may ally himself in the future.
"This is also a situation that has polarised society. No one sees this as a trivial incident. Privacy advocates continue to project him as a hero, while the rest of the community wants to hang him," he says.
Protect your intellectual property
- Amar Singh, chair of Isaca Security Advisory Group, explains how to defend your intellectual
Identify the IP, identify the people, the processes, the procedures, the functions that deal directly or indirectly with the IP, including third-party providers.
- Engage legal and HR to identify the best approach. Topics for discussion include: third party contract review, third party assessments for security due diligence, vetting the critical resources (meaning humans) – most companies do not carry out background checks on senior executives.
- Align the security strategy with the business strategy and ensure that any projects, big or small, first and foremost, align with the key strategic objectives.
- The information security officer must be a key member of the organisation’s project management office or equivalent and consequently there must be appropriate information security gates or checkpoints throughout, starting at the conceptual stage.
- IT Operations and information security teams need to ensure new software and tools – which are often considered for purely cost saving reasons – are vetted by the information security office so the output and benefits of such work are in line with the overall strategic objectives.
Among the potential consequences, says Tipton, is that revelations about Prism will motivate vigilante response from both sides, just as Wikileaks motivated many cyber activists to act, not just on authorities but also companies, such as Mastercard, who responded to demands to withdraw their service from this site.
"States, extremist groups and civil protesters alike may feel morally justified by this case to launch disruptive cyber attacks. The intended victims may feel justified to turn to vigilantism as they go on the offensive themselves,” he says.
Tipton believes that developments with the Stuxnet and Flame viruses illustrate that the world is already at a point in time when global corporations and international governments are intensely re-evaluating their organisations’ security strategies, no longer based on keeping hackers out but based on the assumption that hackers will penetrate their systems.
"It is less clear whether this developing offensive mentality and the potential for a cyber arms race represents an improvement or deterioration in our security posture,” he says.
However, he adds that, as the world continues to watch the Prism revelations unfold, many people will ask themselves, not whether we are more at risk, but rather whether we have the ability to govern the fallout
The lesson in this for businesses is not to ask whether or not they will be hit by a cyber attack, but whether they have the ability to govern the fallout from an attack by having set media liaison protocols to follow as part of their standard incident response plan. Information security professionals routinely observe that damage to a company reputation can be as costly as the data breach itself.
That said, the protection of intellectual property (IP) is something that no business organisation can ignore, according to Robert Newby, analyst and managing partner at analyst firm KuppingerCole UK.
"Prism is just the tip of a data privacy iceberg and, while cyber espionage makes great press, let’s get this straight from the outset: your data is at risk whether you are small, medium, large, a corporation, charity or nation. Moreover, your sensitive information is at risk,” he says.
And IP, he believes, is the most sensitive data, which businesses need to control because, if it
is compromised, the stability or the existence of a company or product could be affected.
“Think about what you are protecting, and why. Catalogue your information assets, then use a risk-management methodology to value them and the threats to them,” he says.
The next step is defence, and although “defence-in-depth” is a commonly used term, Newby says the concept is often misunderstood.
"Layers of security devices do not create layers of security on their own. Access needs to be
secured, monitored and logged. Applications need to be secured, monitored and logged,” he
Protection also requires policies and processes that take the context of information into account.
Many programmes do not capitalise on existing controls, says Newby. “Current security strategies will be based on network security, preventing data being widely available," he says.
This means data will be typically placed into read-only storage where it cannot be changed, gives guaranteed integrity, information will be watermarked so it can reveal its origins, and there will be an access management system that can report on the identity of anyone accessing sensitive information, says Newby.
"Just the knowledge that these systems exist can act as enough of a deterrent to keep
disgruntled employees at bay. The other physical and logical controls are enough to deal with the
remainder,” he says.
Newby concedes that all of this is simpler said than done, but says it is important to get the policies and processes around this level of protection right and warns businesses against avoiding difficult questions.
Whatever the eventual consequences of Edward Snowden’s revelations will be, he has at the very least achieved a new level of information security awareness and debate around the world.
"In the post-Prism era, no organisation can be under the illusion that it is not being spied on by its competitors and even enemies of the state.
"Therefore, there can no longer be any excuse for an organisation, no matter how small, for failing to have appropriate controls and policies in place to protect its information assets and deal with a cyber attack, both in terms of containing and mitigating the attack, and containing the reputational fallout
This was first published in October 2013